Roger Halbheer on Security
It is in my opinion a controversial discussion: Do you allow the use of USB sticks in a corporate environment and if yes, how? Obviously, today there are a lot of other means to exchange information but the USB stick still seems to be important for users. To have a presentation for an event on…
In the meantime I guess that most of us agreed that Consumerization of IT or Bring Your Own Device or how ever you want to call this will become a reality – probably rather sooner than later. In the meantime our team in France published a few papers/guides, which are definitely worth looking at: I…
I know that I keep going and going on that. When I talk to customers and mainly to providers of the critical infrastructure about security, one of the key things to me is to keep the software updated. It is about patching and it is about staying on the latest version of your software. To…
The Australian Defense Signals Directorate maintains a list of the Top 35 Mitigation Strategies against targeted intrusions. This is just a reference to the top strategies: Patch Applications Patch the Operating System Minimize the use of local admin Application whitelisting … Looking at these 35 strategies, the DSD claims that While no single strategy can…
A result of a study by Kasperski lab is fairly promising – even though it shows the problem being raising up the stack: For the very first time in its history, the top 10 rating of vulnerabilities includes products from just two companies: Adobe and Oracle (Java), with seven of those 10 vulnerabilities being found…
A very good overview over the way we run Microsoft’s Cloud. The interesting thing is – if you look at the video – that most customers are still running their datacenters on generation 1-2, which means that the efficiency (labor as well as energy) we can deliver is significantly higher – not talking of our…
Quite a while ago, I blogged about the File Classification Infrastructure in Windows Server 2008 R2: File Classification Infrastructure in Windows Server 2008 R2 File Classification Infrastructure:More content In my opinion, this is an interesting tool, built in to your server platform. Now, we just published a paper about how we use this File Classification…
To me, one of the benefits of moving to the Cloud is security – obviously besides availability and costs. Recent incidents made me doubt: Amazon not only having significant downtime but in the same time losing customer data. Sony’s game network being significantly compromised. This is definitely not to blame them but I was heavily…
A few years ago, I wanted to run an exercise with our incident response team in Switzerland. A customer, the government and me came together to develop the goals and the scenario. One of the key question we tried to answer together with the university, which we wanted to use as observers was, whether we…
A while ago we released the Microsoft Security Update Guide to explain how we release security updates and how you should/could work with our updates. It encompasses these themes: Get to know the security update release process Learn how to evaluate risk See how to mitigate security risks Understand how quickly you need to apply…
Do you know the feeling? You should share a large file with somebody outside your organization. The file is too big to be sent by e-mail. What can you do? Well, you might have a service by internal IT (we have one) which is not really user-friendly, hard to use and – as you do…
A new version of this guide went live – I think something, you should look at. There is a metrology and a process in detail:
So, if you want to learn more: http://technet.microsoft.com/en-us/library/cc162838.aspx
Roger
The longer the more I see articles and posts that claim that security could actually improve if you migrate to the Cloud. And the longer the more I am a firm believer of these statements. It is not about forgetting best practices and just handing over everything to the Cloud provider. It is about adapting your practices to the new reality.
You might know about Bluehat, which is an internal security conference we run several times an year. Some of the presentations we record and make them publically available. There is a really good one on the Microsoft Security Response Center. Dustin (the presenter) blogged on it Behind the Curtain of Second Tuesdays: Challenges in Software…
A quick one: An interesting download location: With the SDL Quick Security References (QSR), the Security Development Lifecycle (SDL) team introduces a series of basic guidance papers designed to address common vulnerabilities from the perspective of multiple business roles – business decision maker, architect, developer, and tester/QA. These papers will help you address a critical…
Since quite a while I am not satisfied with the way we (in the industry) are doing risk management. In my early days, before I was actually entering the security space, I was doing project management and as part of it risk management. The way we did it was fairly simple (as probably most of…
I read an article called that way but then had to realize that it did not really address, what I expected. Why? Well, because it does not cover the key challenge in my opinion but…
I was reading an interesting article: Forrester Pushes ‘Zero Trust’ Model For Security, where they mainly claim that you should not trust your internal network – something I am asking for since a long time. However, the conclusions Forrester and me are drawing are slightly different. John Kindervag – the person quoted in the article…
Sometimes I wonder whether I am too paranoid. I just got a call, which went like that: Caller: “Hello, we are doing a health insurance survey and have just three questions for you, would you mind to join in? Just 20 seconds. We do it for Health Insurance statistics.†Me: Was in a very good…
I blogged often about it: Blocking certain websites today can fire back in different ways. The CIO published an article called Workarounds: 5 Ways Employees Try to Access Restricted Sites – and they say: “Some workarounds can be dangerous because they might create a channel that data can flow out through that is not managed…
